diff --git a/ansible-dependencies-bullseye-sudo.yml b/ansible-dependencies-bullseye-sudo.yml
index b52ca42..83c7d7f 100644
--- a/ansible-dependencies-bullseye-sudo.yml
+++ b/ansible-dependencies-bullseye-sudo.yml
@@ -5,4 +5,4 @@
 roles:
 - ansible_dependencies-bullseye
- - ansible_user
+ - ansible_user_debian
diff --git a/ansible-dependencies-bullseye.yml b/ansible-dependencies-bullseye.yml
index ea592ef..e4d970b 100644
--- a/ansible-dependencies-bullseye.yml
+++ b/ansible-dependencies-bullseye.yml
@@ -12,4 +12,4 @@
 roles:
 - ansible_dependencies-bullseye
- - ansible_user
+ - ansible_user_debian
diff --git a/ansible-dependencies-centos-7-sudo.yml b/ansible-dependencies-centos-7-sudo.yml
new file mode 100644
index 0000000..4346143
--- /dev/null
+++ b/ansible-dependencies-centos-7-sudo.yml
@@ -0,0 +1,8 @@
+---
+
+- hosts: initial_setup
+ gather_facts: false
+
+ roles:
+ - ansible_dependencies-centos-7
+ - ansible_user_centos
diff --git a/ansible-dependencies-centos-7.yml b/ansible-dependencies-centos-7.yml
new file mode 100644
index 0000000..cba3926
--- /dev/null
+++ b/ansible-dependencies-centos-7.yml
@@ -0,0 +1,15 @@
+---
+
+- hosts: initial_setup
+ remote_user: root
+ become: false
+ gather_facts: false
+
+ vars_prompt:
+
+ - name: ansible_ssh_pass
+ prompt: "Give root's password here"
+
+ roles:
+ - ansible_dependencies-centos-7
+ - ansible_user_centos
diff --git a/files/homedirs/axel/_bash_profile b/files/homedirs/axel/_bash_profile
new file mode 100644
index 0000000..fcc09cb
--- /dev/null
+++ b/files/homedirs/axel/_bash_profile
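Review bot: `ansible-dependencies-centos-7.yml` connects as `remote_user: root` with the password typed at the `ansible_ssh_pass` prompt, so the target must accept password authentication for root over SSH, and nothing in this commit turns that off afterwards — the `ansible_user_centos` role it runs only creates users, wheel membership and authorized keys. Presumably a later hardening play handles it, but the playbook should say so: add above `- hosts: initial_setup` a comment such as `# Bootstrap only: needs password root login on the target; run the sshd hardening play right after.` or name that play. The prompt keeps the default `private: yes`, so the password is not echoed, which is fine.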
@@ -0,0 +1,29 @@ +# ~/.profile: executed by Bourne-compatible login shells. + +if [ "$BASH" ]; then + if [ -f ~/.bashrc ]; then + . ~/.bashrc + fi +fi + +# set PATH so it includes user's private bin if it exists +if [ -d "$HOME/bin" ] ; then + PATH="$HOME/bin:$PATH" +fi +if [ -d "$HOME/bin/admin-stuff" ] ; then + PATH="$HOME/bin/admin-stuff:$PATH" +fi + +# this is for the midnight-commander +# to become the last directory the midnight commander was in +# as the current directory when leaving the midnight commander +# +if [ -f "/etc/profile.d/mc.sh" ]; then + source /etc/profile.d/mc.sh +elif [ -f "/usr/share/mc/bin/mc.sh" ]; then + source /usr/share/mc/bin/mc.sh +elif [ -f "/usr/lib/mc/bin/mc.sh" ] ; then + source /usr/lib/mc/bin/mc.sh +fi + +mesg n diff --git a/files/homedirs/back/_bash_profile b/files/homedirs/back/_bash_profile new file mode 100644 index 0000000..9ae1778 --- /dev/null +++ b/files/homedirs/back/_bash_profile @@ -0,0 +1,27 @@ +# ~/.profile: executed by Bourne-compatible login shells. + +if [ "$BASH" ]; then + if [ -f ~/.bashrc ]; then + . ~/.bashrc + fi +fi + +# set PATH so it includes user's private bin if it exists +if [ -d "$HOME/bin" ] ; then + PATH="$HOME/bin:$PATH" +fi +if [ -d "$HOME/bin/admin-stuff" ] ; then + PATH="$HOME/bin/admin-stuff:$PATH" +fi + +# this is for the midnight-commander +# to become the last directory the midnight commander was in +# as the current directory when leaving the midnight commander +# +if [ -f "/etc/profile.d/mc.sh" ]; then + source /etc/profile.d/mc.sh +elif [ -f "/usr/share/mc/bin/mc.sh" ]; then + source /usr/share/mc/bin/mc.sh +elif [ -f "/usr/lib/mc/bin/mc.sh" ] ; then + source /usr/lib/mc/bin/mc.sh +fi diff --git a/files/homedirs/chris/_bash_profile b/files/homedirs/chris/_bash_profile new file mode 100644 index 0000000..9ae1778 --- /dev/null +++ b/files/homedirs/chris/_bash_profile 
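Review bot: The header comment `# ~/.profile: executed by Bourne-compatible login shells.` is copied from a `.profile`, but this file is deployed as `_bash_profile` (presumably `~/.bash_profile`), which only bash reads and which then takes precedence over `~/.profile`; I would change it to `# ~/.bash_profile: read by bash(1) login shells instead of ~/.profile.`. The same file is added byte-for-byte for axel, back, chris, root, sysadm and webadmin (blobs fcc09cb and 9ae1778, differing only in the trailing `mesg n`), so one shared file copied per user by the role would keep six copies from drifting apart.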
@@ -0,0 +1,27 @@
+# ~/.profile: executed by Bourne-compatible login shells.
+
+if [ "$BASH" ]; then
+ if [ -f ~/.bashrc ]; then
+ . ~/.bashrc
+ fi
+fi
+
+# set PATH so it includes user's private bin if it exists
+if [ -d "$HOME/bin" ] ; then
+ PATH="$HOME/bin:$PATH"
+fi
+if [ -d "$HOME/bin/admin-stuff" ] ; then
+ PATH="$HOME/bin/admin-stuff:$PATH"
+fi
+
+# this is for the midnight-commander
+# to become the last directory the midnight commander was in
+# as the current directory when leaving the midnight commander
+#
+if [ -f "/etc/profile.d/mc.sh" ]; then
+ source /etc/profile.d/mc.sh
+elif [ -f "/usr/share/mc/bin/mc.sh" ]; then
+ source /usr/share/mc/bin/mc.sh
+elif [ -f "/usr/lib/mc/bin/mc.sh" ] ; then
+ source /usr/lib/mc/bin/mc.sh
+fi
diff --git a/files/homedirs/chris/_profile b/files/homedirs/chris/_profile
index edc7a33..71115e9 100644
--- a/files/homedirs/chris/_profile
+++ b/files/homedirs/chris/_profile
@@ -25,6 +25,9 @@ fi
 # to become the last directory the midnight commander was in
 # as the current directory when leaving the midnight commander
 #
-#. /usr/lib/mc/bin/mc.sh
-. /usr/share/mc/bin/mc.sh
+if [ -f "/usr/share/mc/bin/mc.sh" ]; then
+ source /usr/share/mc/bin/mc.sh
+elif [ -f "/usr/lib/mc/bin/mc.sh" ] ; then
+ source /usr/lib/mc/bin/mc.sh
+fi
diff --git a/files/homedirs/root/_bash_profile b/files/homedirs/root/_bash_profile
new file mode 100644
index 0000000..fcc09cb
--- /dev/null
+++ b/files/homedirs/root/_bash_profile
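Review bot: `source` is a bash builtin, not POSIX, but `~/.profile` is read by whatever the login shell is (dash as `/bin/sh`, for instance), where `source /usr/share/mc/bin/mc.sh` fails with `source: not found` although the replaced `. /usr/share/mc/bin/mc.sh` worked; the same substitution is made in `files/homedirs/root/_profile`. Use the dot form in both branches of the new block: `. /usr/share/mc/bin/mc.sh` and `. /usr/lib/mc/bin/mc.sh`. The `_bash_profile` files can keep `source`, since only bash reads them. The rest of chris's `_profile` lies outside the hunk.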
@@ -0,0 +1,29 @@ +# ~/.profile: executed by Bourne-compatible login shells. + +if [ "$BASH" ]; then + if [ -f ~/.bashrc ]; then + . ~/.bashrc + fi +fi + +# set PATH so it includes user's private bin if it exists +if [ -d "$HOME/bin" ] ; then + PATH="$HOME/bin:$PATH" +fi +if [ -d "$HOME/bin/admin-stuff" ] ; then + PATH="$HOME/bin/admin-stuff:$PATH" +fi + +# this is for the midnight-commander +# to become the last directory the midnight commander was in +# as the current directory when leaving the midnight commander +# +if [ -f "/etc/profile.d/mc.sh" ]; then + source /etc/profile.d/mc.sh +elif [ -f "/usr/share/mc/bin/mc.sh" ]; then + source /usr/share/mc/bin/mc.sh +elif [ -f "/usr/lib/mc/bin/mc.sh" ] ; then + source /usr/lib/mc/bin/mc.sh +fi + +mesg n diff --git a/files/homedirs/root/_profile b/files/homedirs/root/_profile index 1a97c71..83db64f 100644 --- a/files/homedirs/root/_profile +++ b/files/homedirs/root/_profile 
@@ -1,24 +1,34 @@
-# ~/.profile: executed by Bourne-compatible login shells.
+# ~/.profile: executed by the command interpreter for login shells.
+# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
+# exists.
+# see /usr/share/doc/bash/examples/startup-files for examples.
+# the files are located in the bash-doc package.
-if [ "$BASH" ]; then
- if [ -f ~/.bashrc ]; then
- . ~/.bashrc
- fi
+# the default umask is set in /etc/profile; for setting the umask
+# for ssh logins, install and configure the libpam-umask package.
+#umask 022
+
+# if running bash
+if [ -n "$BASH_VERSION" ]; then
+ # include .bashrc if it exists
+ if [ -f "$HOME/.bashrc" ]; then
+ . "$HOME/.bashrc"
+ fi
 fi
 # set PATH so it includes user's private bin if it exists
 if [ -d "$HOME/bin" ] ; then
- PATH="$HOME/bin:$PATH"
-fi
-if [ -d "$HOME/bin/admin-stuff" ] ; then
- PATH="$HOME/bin/admin-stuff:$PATH"
+ PATH="$HOME/bin:$PATH"
 fi
 # this is for the midnight-commander
 # to become the last directory the midnight commander was in
 # as the current directory when leaving the midnight commander
 #
-# . /usr/lib/mc/bin/mc.sh
-. /usr/share/mc/bin/mc.sh
+if [ -f "/usr/share/mc/bin/mc.sh" ]; then
+ source /usr/share/mc/bin/mc.sh
+elif [ -f "/usr/lib/mc/bin/mc.sh" ] ; then
+ source /usr/lib/mc/bin/mc.sh
+fi
 mesg n
diff --git a/files/homedirs/sysadm/_bash_profile b/files/homedirs/sysadm/_bash_profile
new file mode 100644
index 0000000..9ae1778
--- /dev/null
+++ b/files/homedirs/sysadm/_bash_profile
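Review bot: The new header says bash skips this file when `~/.bash_profile` exists, and this same commit adds `files/homedirs/root/_bash_profile`, so for root's bash login this `_profile` is never read and the removal of `$HOME/bin/admin-stuff` from PATH here has no effect (the `_bash_profile` copy still adds it); I assume both files land in root's home via the same role, which is not in the diff. Either keep only one of the two, or add a line under the header making the split explicit, e.g. `# Only non-bash login shells read this; bash takes ~/.bash_profile instead.`. The mc block's `source` calls have the same portability concern noted on chris's `_profile`.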
@@ -0,0 +1,27 @@ +# ~/.profile: executed by Bourne-compatible login shells. + +if [ "$BASH" ]; then + if [ -f ~/.bashrc ]; then + . ~/.bashrc + fi +fi + +# set PATH so it includes user's private bin if it exists +if [ -d "$HOME/bin" ] ; then + PATH="$HOME/bin:$PATH" +fi +if [ -d "$HOME/bin/admin-stuff" ] ; then + PATH="$HOME/bin/admin-stuff:$PATH" +fi + +# this is for the midnight-commander +# to become the last directory the midnight commander was in +# as the current directory when leaving the midnight commander +# +if [ -f "/etc/profile.d/mc.sh" ]; then + source /etc/profile.d/mc.sh +elif [ -f "/usr/share/mc/bin/mc.sh" ]; then + source /usr/share/mc/bin/mc.sh +elif [ -f "/usr/lib/mc/bin/mc.sh" ] ; then + source /usr/lib/mc/bin/mc.sh +fi diff --git a/files/homedirs/webadmin/_bash_profile b/files/homedirs/webadmin/_bash_profile new file mode 100644 index 0000000..9ae1778 --- /dev/null +++ b/files/homedirs/webadmin/_bash_profile @@ -0,0 +1,27 @@ +# ~/.profile: executed by Bourne-compatible login shells. + +if [ "$BASH" ]; then + if [ -f ~/.bashrc ]; then + . ~/.bashrc + fi +fi + +# set PATH so it includes user's private bin if it exists +if [ -d "$HOME/bin" ] ; then + PATH="$HOME/bin:$PATH" +fi +if [ -d "$HOME/bin/admin-stuff" ] ; then + PATH="$HOME/bin/admin-stuff:$PATH" +fi + +# this is for the midnight-commander +# to become the last directory the midnight commander was in +# as the current directory when leaving the midnight commander +# +if [ -f "/etc/profile.d/mc.sh" ]; then + source /etc/profile.d/mc.sh +elif [ -f "/usr/share/mc/bin/mc.sh" ]; then + source /usr/share/mc/bin/mc.sh +elif [ -f "/usr/lib/mc/bin/mc.sh" ] ; then + source /usr/lib/mc/bin/mc.sh +fi diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index fbca840..e5e43ea 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml 
@@ -840,11 +840,15 @@ apt_install_postgresql_pkgs: false
 apt_postgresql_pkgs:
 - postgresql
-apt_install_bind9_packages: false
-apt_bind9_pkgs:
+install_bind_packages: false
+apt_bind_pkgs:
 - bind9
-apt_install_lxc_host_pkgs: false
+yum_bind_pks:
+ - bind
+
+
+install_lxc_host_pkgs: false
 apt_lxc_host_pkgs:
 - bridge-utils
 - lxc
@@ -854,7 +858,16 @@ apt_lxc_host_pkgs:
 - debootstrap
 - ntp
-apt_install_kvm_host_pkgs: false
+yum_lxc_host_pkgs:
+ - bridge-utils
+ - lxc
+ - lxc-templates
+ - python36-lxc
+ - debootstrap
+ - ntp
+
+
+install_kvm_host_pkgs: false
 apt_kvm_host_pkgs:
 - lvm2
 - bridge-utils
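Review bot: `yum_bind_pks:` looks like a typo for `yum_bind_pkgs:` — every sibling list in these hunks ends in `_pkgs` (`apt_bind_pkgs`, `apt_lxc_host_pkgs`, `yum_lxc_host_pkgs`), and a task written against the regular name would hit an undefined variable at runtime rather than at review time. Rename it to `yum_bind_pkgs:` unless the task file that consumes it (not in this diff) really spells it `yum_bind_pks`. The renamed switches also mix `install_bind_packages` with `install_lxc_host_pkgs` / `install_kvm_host_pkgs`; settling on one of `packages`/`pkgs` now is cheap.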
@@ -893,6 +906,136 @@ microcode_package: - amd64-microcode +# --- +# vars used by yum.yml +# --- + +yum_install_state: latest + +yum_ansible_dependencies: + - ca-certificates + - dbus + - redhat-lsb-core + - mc + - net-tools + - openssl + - python3 + - sudo + - vim + +yum_base_install_centos_7: + - redhat-lsb-core + - ca-certificates + - git + - iproute + - mc + - net-tools + - bind-utils + - openssl + - python2 + - python3 + - sudo + - vim + - yum-utils + +yum_initial_install_centos_7: + - cryptsetup + - dbus + - openssh-server + - bash + - bash-completion + - vim + - vim-common + - mc + - screen + - tmux + - cronie + - bc + - figlet + - sudo + - rsync + - dselect + - iputils + - zip + - unzip + - bzip2 + - arj + - mlocate + - curl + - gawk + - mawk + - lynx + - links + - w3m + - ctags + - file + - coreutils + - moreutils + - less + - sipcalc + - psmisc + - whois + - gettext + - gettext-devel + - debian-keyring + - patch + - patchutils + - recode + - recode-devel + - sharutils + - perl + - perl-devel + - readline + - readline-devel + - libtermkey + - libtermkey-devel + - perl-Time-Duration-Parse + - perl-DateTime + - perl-libwww-perl + - pcre + - pcre2 + - perl-IO-Compress + - re2c + - util-linux + - parted + - lshw + - gdisk + - smartmontools + - tcpdump + - telnet + - unhide + - lsof + - hdparm + - groff + - bridge-utils + - ethtool + - nwipe + - iperf + - mtr + - iptraf + - wget + - logrotate + - rsyslog + - haveged + - rdate + - ntpdate + - man + - groff + - iptables + - ShellCheck + - ftp + - htop + - net-tools + - attr + - acl + - quota + - quotatool + - needrestart + - socat + - zsh + - lua + - btrfs-progs + # --- # vars used by tor.yml # --- 
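Review bot: `groff` is listed twice in `yum_initial_install_centos_7` (after `hdparm` and again after `man`); yum tolerates that, but it suggests the list was merged by hand and deserves a `sort -u` pass. Several names look like Debian or EPEL packages rather than CentOS 7 base/updates (`debian-keyring`, `dselect`, `needrestart`, `moreutils`, `sipcalc`, `ShellCheck`, `nwipe`, `figlet`, `unhide`), and the `yum` module fails the whole task on a single unknown name, so the list should be checked against the repositories this role actually enables. `telnet` and `ftp` are cleartext clients; worth confirming they belong in a baseline installed on every host.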
@@ -1893,6 +2036,33 @@ samba_cronjob_permissions:
 job: "/root/bin/samba/set_permissions_samba_shares.sh"
+# ==========
+# vars used by roles/common/tasks/systemd-services.yml
+# ==========
+
+# Take care that if these services are installed, they are running and
+# start automatically after boot.
+#
+debian_services_active_and_started:
+ - bind
+ - cron
+ - haveged
+ - ntp
+ - redis-server
+ - ssh
+ - tor
+
+redhat_services_active_and_started:
+ - crond
+ - haveged
+ - named
+ - ntpd
+ - redis
+ - sshd
+ - tor
+
+
+
 # ==============================
diff --git a/group_vars/caching_nameserver.yml b/group_vars/caching_nameserver.yml
index 8f6b972..6072ca7 100644
--- a/group_vars/caching_nameserver.yml
+++ b/group_vars/caching_nameserver.yml
@@ -51,7 +51,7 @@
 # vars used by roles/common/tasks/caching-nameserver.yml
 # ---
-apt_install_bind9_packages: true
+install_bind_packages: true
 # ---
diff --git a/group_vars/caching_nameserver.yml.bak b/group_vars/caching_nameserver.yml.bak
new file mode 100644
index 0000000..8f6b972
--- /dev/null
+++ b/group_vars/caching_nameserver.yml.bak
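Review bot: `bind` in `debian_services_active_and_started` does not look like a Debian unit name — as far as I know the bullseye `bind9` package ships `named.service` with `bind9.service` as an alias — so a systemd task keyed on `bind` would presumably fail with a unit-not-found error; check `systemctl list-units` on a bullseye host and use `named`, which would also line up with the RedHat list. The consuming file `roles/common/tasks/systemd-services.yml` is not in the diff, so I cannot tell whether it really honours the comment's "if these services are installed"; if it runs `systemd` with `enabled: true` / `state: started` unconditionally, a host without `tor` or `redis-server` will fail the play, and the comment should say which it is.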
@@ -0,0 +1,70 @@ +--- + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + +apt_install_bind9_packages: true + + +# --- +# vars used by roles/common/tasks/git.yml +# --- +# +# see: roles/common/tasks/vars + + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + diff --git a/host_vars/172.16.162.89.yml b/host_vars/172.16.162.89.yml index 0bbc7f5..d8bf42c 100644 --- a/host_vars/172.16.162.89.yml +++ b/host_vars/172.16.162.89.yml @@ -223,7 +223,7 @@ sudo_users: # vars used by roles/common/tasks/caching-nameserver.yml # --- -apt_install_bind9_packages: true +install_bind_packages: true bind9_gateway_acl: - local-net: diff --git a/host_vars/172.16.63.32.yml b/host_vars/172.16.63.32.yml index c991420..e8c620e 100644 --- a/host_vars/172.16.63.32.yml +++ b/host_vars/172.16.63.32.yml @@ -91,7 +91,7 @@ sudo_users: # vars used by roles/common/tasks/caching-nameserver.yml # --- -apt_install_bind9_packages: true +install_bind_packages: true # --- # vars used by roles/common/tasks/git.yml diff --git a/host_vars/file-blkr.blkr.netz.yml b/host_vars/file-blkr.blkr.netz.yml index cb81496..70c9ef4 100644 --- a/host_vars/file-blkr.blkr.netz.yml +++ b/host_vars/file-blkr.blkr.netz.yml 
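Review bot: `group_vars/caching_nameserver.yml.bak` is a backup copy of the pre-rename file and still sets the old `apt_install_bind9_packages: true`; Ansible's group_vars loader only reads `.yml`/`.yaml`/`.json` (or extensionless) files, so it should be inert, but it is noise in version control and will confuse the next search for the old variable name. Drop it from the commit — git history already has the previous version — or, if it must stay, put `# superseded by caching_nameserver.yml, kept for reference only` at the top.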
@@ -222,6 +222,10 @@ samba_user: - buero - verwaltung password: 'fx9j/3X-thPr' + - name: julius-e + groups: + - buero + password: '2/kcx3jju-tr' - name: leonie groups: - buero diff --git a/host_vars/file-fhxb.fhxb.netz.yml b/host_vars/file-fhxb.fhxb.netz.yml index c291998..0ab2707 100644 --- a/host_vars/file-fhxb.fhxb.netz.yml +++ b/host_vars/file-fhxb.fhxb.netz.yml @@ -253,6 +253,9 @@ samba_groups: - name: altlasten group_id: 1510 + - name: administration + group_id: 1610 + samba_user: @@ -463,6 +466,7 @@ samba_user: # Heike Müller - name : h.mueller groups: + - administration - buero - team password: 'VT7/n5hHy-Av' @@ -470,6 +474,7 @@ samba_user: # Jana König - name : j.koenig groups: + - administration - archiv - ausstellungen - buero @@ -493,6 +498,7 @@ samba_user: # Jorinde Splettstößer - name : j.splettstoesser groups: + - administration - archiv - ausstellungen - buero @@ -517,6 +523,7 @@ samba_user: # Natalie Bayer - name : n.bayer groups: + - administration - altlasten - archiv - ausstellungen @@ -651,6 +658,15 @@ remove_samba_users: samba_shares: + - name: Administration + comment: Administration auf Fileserver + path: /data/samba/FHXB-Server/Administration + group_valid_users: administration + group_write_list: administration + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + - name: Altlasten comment: Altlasten auf Fileserver path: /data/samba/FHXB-Server/Altlasten diff --git a/host_vars/ga-al-gw.oopen.de.yml b/host_vars/ga-al-gw.oopen.de.yml index 2e6b5b5..236097d 100644 --- a/host_vars/ga-al-gw.oopen.de.yml +++ b/host_vars/ga-al-gw.oopen.de.yml @@ -339,7 +339,7 @@ sudo_users: # vars used by roles/common/tasks/caching-nameserver.yml # --- -apt_install_bind9_packages: true +install_bind_packages: true bind9_gateway_acl: diff --git a/host_vars/ga-nh-gw.oopen.de.yml b/host_vars/ga-nh-gw.oopen.de.yml index 7bc1964..7ad4c9e 100644 --- a/host_vars/ga-nh-gw.oopen.de.yml +++ b/host_vars/ga-nh-gw.oopen.de.yml 
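Review bot: This hunk commits a new samba user's `password:` as a plaintext string in `host_vars`, and the same pattern recurs in this commit for `host_vars/o17.oopen.de.yml` (where an empty `password:` is filled in) and `host_vars/zapata.opp.netz.yml`; everyone with read access to the repository or its history gets these credentials. Store them with `ansible-vault` — an inline `!vault` value, or a vaulted `vault.yml` under `host_vars/<host>/` referenced from here — and treat the values already pushed as exposed, i.e. rotate them. The existing `postfix_db_pass` and the passwords already present in these files have the same problem and could be moved in the same pass.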
@@ -215,7 +215,7 @@ sudo_users: # vars used by roles/common/tasks/caching-nameserver.yml # --- -apt_install_bind9_packages: true +install_bind_packages: true bind9_gateway_acl: - local-net: diff --git a/host_vars/ga-st-gw-ersatz.ga.netz.yml b/host_vars/ga-st-gw-ersatz.ga.netz.yml index 3584b20..45e6e8b 100644 --- a/host_vars/ga-st-gw-ersatz.ga.netz.yml +++ b/host_vars/ga-st-gw-ersatz.ga.netz.yml @@ -150,7 +150,7 @@ sudo_users: # vars used by roles/common/tasks/caching-nameserver.yml # --- -apt_install_bind9_packages: true +install_bind_packages: true bind9_gateway_acl: - local-net: diff --git a/host_vars/ga-st-gw.oopen.de.yml b/host_vars/ga-st-gw.oopen.de.yml index 2b3223e..3c4bfba 100644 --- a/host_vars/ga-st-gw.oopen.de.yml +++ b/host_vars/ga-st-gw.oopen.de.yml @@ -385,7 +385,7 @@ sudo_users: # vars used by roles/common/tasks/caching-nameserver.yml # --- -apt_install_bind9_packages: true +install_bind_packages: true bind9_gateway_acl: - local-net: diff --git a/host_vars/gw-123.oopen.de.yml b/host_vars/gw-123.oopen.de.yml index f8f5070..eef8b5c 100644 --- a/host_vars/gw-123.oopen.de.yml +++ b/host_vars/gw-123.oopen.de.yml @@ -101,7 +101,7 @@ sudo_users: # vars used by roles/common/tasks/caching-nameserver.yml # --- -apt_install_bind9_packages: true +install_bind_packages: true bind9_gateway_listen_on_v6: - none diff --git a/host_vars/gw-ah.oopen.de.yml b/host_vars/gw-ah.oopen.de.yml index ec21fc2..771ca47 100644 --- a/host_vars/gw-ah.oopen.de.yml +++ b/host_vars/gw-ah.oopen.de.yml @@ -114,7 +114,7 @@ sudo_users: # vars used by roles/common/tasks/caching-nameserver.yml # --- -apt_install_bind9_packages: true +install_bind_packages: true bind9_gateway_acl: diff --git a/host_vars/gw-blkr.oopen.de.yml b/host_vars/gw-blkr.oopen.de.yml index b974ce6..b4d0c61 100644 --- a/host_vars/gw-blkr.oopen.de.yml +++ b/host_vars/gw-blkr.oopen.de.yml 
@@ -224,7 +224,7 @@ sudo_users: # vars used by roles/common/tasks/caching-nameserver.yml # --- -apt_install_bind9_packages: true +install_bind_packages: true bind9_gateway_acl: - local-net: diff --git a/host_vars/gw-ckubu.local.netz.yml b/host_vars/gw-ckubu.local.netz.yml index 20b1c89..044711f 100644 --- a/host_vars/gw-ckubu.local.netz.yml +++ b/host_vars/gw-ckubu.local.netz.yml @@ -91,7 +91,7 @@ sudo_users: # vars used by roles/common/tasks/caching-nameserver.yml # --- -apt_install_bind9_packages: true +install_bind_packages: true bind9_gateway_listen_on_v6: - none diff --git a/host_vars/gw-ebs.oopen.de.yml b/host_vars/gw-ebs.oopen.de.yml index 0e80d80..e05552a 100644 --- a/host_vars/gw-ebs.oopen.de.yml +++ b/host_vars/gw-ebs.oopen.de.yml @@ -165,7 +165,7 @@ sudo_users: # vars used by roles/common/tasks/caching-nameserver.yml # --- -apt_install_bind9_packages: true +install_bind_packages: true bind9_gateway_acl: diff --git a/host_vars/gw-elster.oopen.de.yml b/host_vars/gw-elster.oopen.de.yml index 4c6de69..85eb3a6 100644 --- a/host_vars/gw-elster.oopen.de.yml +++ b/host_vars/gw-elster.oopen.de.yml @@ -219,7 +219,7 @@ sudo_users: # vars used by roles/common/tasks/caching-nameserver.yml # --- -apt_install_bind9_packages: true +install_bind_packages: true bind9_gateway_acl: - local-net: diff --git a/host_vars/gw-flr.oopen.de.yml b/host_vars/gw-flr.oopen.de.yml index c54578b..d0e85e1 100644 --- a/host_vars/gw-flr.oopen.de.yml +++ b/host_vars/gw-flr.oopen.de.yml @@ -218,7 +218,7 @@ sudo_users: # vars used by roles/common/tasks/caching-nameserver.yml # --- -apt_install_bind9_packages: true +install_bind_packages: true # --- diff --git a/host_vars/mail-neu.cadus.org.yml b/host_vars/mail-neu.cadus.org.yml index 2ee07cc..e5a8e11 100644 --- a/host_vars/mail-neu.cadus.org.yml +++ b/host_vars/mail-neu.cadus.org.yml 
@@ -150,10 +150,10 @@ copy_plain_files_postfwd_host_specific: # --- hostname: mail.cadus.org -ipv4_address: 46.4.25.245 -ipv6_address: 2a01:4f8:221:3b4e::245 +ipv4_address: 135.181.22.153 +ipv6_address: 2a01:4f9:4b:46d1::153 -admin_email: admin@cadus.org +admin_email: it@cadus.org is_relay_host: !!str "false" db_in_use: !!str "true" @@ -165,6 +165,7 @@ postfix_db_name: postfix postfix_db_user: postfix #postfix_db_host: postfix_db_pass: T3CJnFMJNX9wmhNs +mysql_credentials: !!str "-u root -S /run/mysqld/mysqld.sock" # install_amavis.conf # diff --git a/host_vars/mail.cadus.org.yml b/host_vars/mail.cadus.org.yml index 2ee07cc..30bd935 100644 --- a/host_vars/mail.cadus.org.yml +++ b/host_vars/mail.cadus.org.yml @@ -150,8 +150,8 @@ copy_plain_files_postfwd_host_specific: # --- hostname: mail.cadus.org -ipv4_address: 46.4.25.245 -ipv6_address: 2a01:4f8:221:3b4e::245 +ipv4_address: 135.181.22.153 +ipv6_address: 2a01:4f9:4b:46d1::153 admin_email: admin@cadus.org is_relay_host: !!str "false" diff --git a/host_vars/o17.oopen.de.yml b/host_vars/o17.oopen.de.yml index 067e31a..436c469 100644 --- a/host_vars/o17.oopen.de.yml +++ b/host_vars/o17.oopen.de.yml @@ -307,7 +307,7 @@ samba_user: - buero - intern - verwaltung - password: + password: '20-buch_holz-20' - name: schmidt groups: - intern @@ -360,15 +360,15 @@ samba_shares: guest_ok: !!str no browseable: !!str no valid_users: '%S' - file_create_mask: '600' - dir_create_mask: '700' + file_create_mask: !!str 600 + dir_create_mask: !!str 700 - name: Buero path: /data/samba/shares/Buero group_valid_users: intern group_write_list: intern - file_create_mask: 664 - dir_create_mask: 2775 + file_create_mask: !!str 664 + dir_create_mask: !!str 2775 vfs_object_recycle: true recycle_path: recycle 
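Review bot: `host_vars/mail-neu.cadus.org.yml` is brought in line with `mail.cadus.org.yml` (same `hostname`, same new addresses), while the `hosts` inventory in this commit removes `mail-neu.cadus.org` from every group, so after this change the file is attached to no host and merely carries a second copy of `postfix_db_pass` plus the new root `mysql_credentials`. If the host is gone, delete the file in the same commit; if it is kept for a migration, a header such as `# Retired: mail-neu.cadus.org was merged into mail.cadus.org` would explain why two host_vars files describe one server. The `admin_email: it@cadus.org` change was applied only here and not to `mail.cadus.org.yml`, which looks unintended.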
@@ -376,8 +376,8 @@ samba_shares: path: /data/samba/shares/Verwaltung group_valid_users: verwaltung group_write_list: verwaltung - file_create_mask: 660 - dir_create_mask: 2770 + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 vfs_object_recycle: true recycle_path: recycle @@ -385,8 +385,8 @@ samba_shares: path: /data/samba/shares/Scans_schnell group_valid_users: intern group_write_list: intern - file_create_mask: '664' - dir_create_mask: 2775 + file_create_mask: !!str 664 + dir_create_mask: !!str 2775 vfs_object_recycle: true recycle_path: recycle @@ -394,8 +394,8 @@ samba_shares: path: /data/samba/shares/Hoffmann-Elberling group_valid_users: hoffmann-elberling group_write_list: hoffmann-elberling - file_create_mask: '664' - dir_create_mask: 2775 + file_create_mask: !!str 664 + dir_create_mask: !!str 2775 vfs_object_recycle: true recycle_path: recycle @@ -403,8 +403,8 @@ samba_shares: path: /data/samba/shares/Gubitz-Partner group_valid_users: gubitz-partner group_write_list: gubitz-partner - file_create_mask: '664' - dir_create_mask: 2775 + file_create_mask: !!str 664 + dir_create_mask: !!str 2775 vfs_object_recycle: true recycle_path: recycle @@ -412,8 +412,8 @@ samba_shares: path: /data/samba/shares/Gubitz-Backup group_valid_users: gubitz group_write_list: gubitz - file_create_mask: 660 - dir_create_mask: 2770 + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 vfs_object_recycle: true recycle_path: recycle @@ -422,8 +422,8 @@ samba_shares: path: /data/samba/shares/WinServer2016-Backup group_valid_users: {} group_write_list: {} - file_create_mask: 664 - dir_create_mask: 2775 + file_create_mask: !!str 664 + dir_create_mask: !!str 2775 guest_ok: !!str yes vfs_object_recycle: true recycle_path: {} 
@@ -433,8 +433,8 @@ samba_shares: path: /data/samba/shares/Advoware-Backup group_valid_users: back group_write_list: back - file_create_mask: 664 - dir_create_mask: 2775 + file_create_mask: !!str 664 + dir_create_mask: !!str 2775 guest_ok: !!str yes vfs_object_recycle: true diff --git a/host_vars/zapata.opp.netz.yml b/host_vars/zapata.opp.netz.yml index 506b18d..ce514f7 100644 --- a/host_vars/zapata.opp.netz.yml +++ b/host_vars/zapata.opp.netz.yml @@ -198,6 +198,12 @@ samba_user: - beratung password: 'D1dPWdPvopp4!' + - name: anika + groups: + - buero + - beratung + password: '4n1k4*adb_23' + - name: anna groups: - buero @@ -475,7 +481,7 @@ samba_shares: writeable: !!str no guest_ok: !!str no file_create_mask: !!str 0664 - dir_create_mask: !!str 2775 + dir_create_mask: !!str 0755 vfs_object_recycle: false diff --git a/hosts b/hosts index e4aedf7..b1e6d8e 100644 --- a/hosts +++ b/hosts @@ -9,6 +9,10 @@ #schleuder3.so36.net ansible_user=ckubu #site36.net ansible_user=ckubu #web.so36.net ansible_user=ckubu +[so36_server] + +#kvm05.so36.net ansible_ssh_user=ckubu ansible_ssh_port=1036 +#kvm13.so36.net ansible_ssh_user=ckubu ansible_ssh_port=1036 [dns_sinma] @@ -52,6 +56,9 @@ gw-replacement.local.netz gw-replacement2.local.netz gw-replacement3.local.netz +kvm-ipa.local.netz +file-ipa.local.netz + k1371.dyndns.org ga-st-gw-ersatz.ga.netz @@ -124,8 +131,8 @@ o20.oopen.de o21.oopen.de o31.oopen.de mail.cadus.org -mail-neu.cadus.org web.cadus.org +wiki.cadus.org o22.oopen.de oolm-db.oopen.de @@ -199,7 +206,6 @@ lxc-host-kb.anw-kb.netz [initial_setup] - # --- # - Warenform Server # --- @@ -278,8 +284,8 @@ o20.oopen.de o21.oopen.de o31.oopen.de mail.cadus.org -mail-neu.cadus.org web.cadus.org +wiki.cadus.org # - o22.oopen.de o22.oopen.de @@ -367,6 +373,9 @@ gw-replacement.local.netz gw-replacement2.local.netz gw-replacement3.local.netz +kvm-ipa.local.netz +file-ipa.local.netz + # 123Comics gw-123.oopen.de 
@@ -455,7 +464,6 @@ devel-php.wf.netz devel-todo.wf.netz devel-wiki.wf.netz - [apache2_webserver] # --- @@ -485,8 +493,8 @@ o20.oopen.de # o21.oopen.de # o31.oopen.de web.cadus.org +wiki.cadus.org mail.cadus.org -mail-neu.cadus.org # o22.oopen.de oolm-shop-dev.oopen.de @@ -531,6 +539,8 @@ cl-test.oopen.de # O.OPEN office network # --- +file-ipa.local.netz + # - GA - Gemeinschaft Altensclirf ga-st-mail.ga.netz ga-al-ws1.ga.netz @@ -643,6 +653,9 @@ o26.oopen.de # o30.oopen.de - AK Server Nextcloud/Jitsi Meet meet.akweb.de +# o31.oopen.de +wiki.cadus.org + # etventure o32.oopen.de @@ -678,6 +691,7 @@ o13-web.oopen.de # o21.oopen.de # o31.oopen.de web.cadus.org +wiki.cadus.org # o20.oopen.de (srv-cityslang.cityslang.com) o20.oopen.de @@ -728,7 +742,6 @@ test.mx.oopen.de # o21.oopen.de # o31.oopen.de mail.cadus.org -mail-neu.cadus.org # o27.oopen.de mail.faire-mobilitaet.de @@ -757,6 +770,12 @@ ga-st-mail.ga.netz mx.warenform.de lists.mx.warenform.de +# --- +# so36.net +# --- + +#rage.so36.net ansible_ssh_user=ckubu ansible_ssh_port=1036 + [sympa_list_server] @@ -833,8 +852,8 @@ o20.oopen.de # o21.oopen.de web.cadus.org +wiki.cadus.org mail.cadus.org -mail-neu.cadus.org # o22.oopen.de oolm-db-dev.oopen.de @@ -992,7 +1011,6 @@ nscache.oopen.de # o21.oopen.de # o31.oopen.de mail.cadus.org -mail-neu.cadus.org o22.oopen.de @@ -1014,6 +1032,8 @@ b.mx.oopen.de # - GA - Gemeinschaft Altensclirf ga-st-mail.ga.netz +file-ipa.local.netz + # --- # Warenform @@ -1161,6 +1181,8 @@ lxc-host-kb.anw-kb.netz # O.OPEN office network # --- +file-ipa.local.netz + bbb-server.b3-bornim.netz file-ah.kanzlei-kiel.netz file-km.anw-km.netz @@ -1218,8 +1240,8 @@ meet2.oopen.de # - o21.oopen.de # - o31.oopen.de mail.cadus.org -mail-neu.cadus.org web.cadus.org +wiki.cadus.org # - o22.oopen.de oolm-db.oopen.de @@ -1385,8 +1407,8 @@ o20.oopen.de o21.oopen.de o31.oopen.de mail.cadus.org -mail-neu.cadus.org web.cadus.org +wiki.cadus.org # - o22.oopen.de o22.oopen.de 
diff --git a/roles/ansible_dependencies-centos-7/tasks/main.yml b/roles/ansible_dependencies-centos-7/tasks/main.yml
new file mode 100644
index 0000000..5008165
--- /dev/null
+++ b/roles/ansible_dependencies-centos-7/tasks/main.yml
@@ -0,0 +1,24 @@
+---
+
+- name: (ansible_dependencies-centos-7) System updates
+ yum:
+ name: '*'
+ state: latest
+ update_cache: yes
+ #cache_valid_time: 3600
+ tags:
+ - yum-update
+
+- name: Ensure python2 is present (This is necessary for ansible to work properly)
+ raw: test -e /usr/bin/python2 || (yum -y install python2)
+
+- name: Ensure python3 is present (This is necessary for ansible to work properly)
+ raw: test -e /usr/bin/python3 || (yum install -y python3)
+
+- name: yum install ansible dependencies
+ yum:
+ name: "{{ yum_ansible_dependencies }}"
+ state: "{{ yum_install_state }}"
+ tags:
+ - ansible-dependencies
+
diff --git a/roles/ansible_user_centos/tasks/main.yml b/roles/ansible_user_centos/tasks/main.yml
new file mode 100644
index 0000000..bf7ea64
--- /dev/null
+++ b/roles/ansible_user_centos/tasks/main.yml
@@ -0,0 +1,35 @@
+---
+
+- name: Ensure remote users for ansible exists
+ user:
+ name: '{{ item.name }}'
+ state: present
+ uid: '{{ item.user_id | default(omit) }}'
+ #group: '{{ item.name | default(omit) }}'
+ shell: '{{ item.shell|d("/bin/bash") }}'
+ password: "{{ item.password }}"
+ update_password: on_create
+ with_items: '{{ ansible_remote_user }}'
+ tags:
+ - ansible-remote-user
+
+- name: Ensure ansible user is part of sudo group
+ user:
+ name: "{{ item.name }}"
+ groups: wheel
+ append: yes
+ with_items: "{{ ansible_remote_user }}"
+ tags:
+ - sudo-users
+
+- name: Ensure authorized_key files are present
+ authorized_key:
+ user: "{{ item.0.name }}"
+ key: "{{ item.1 }}"
+ state: present
+ with_subelements:
+ - '{{ ansible_remote_user }}'
+ - ssh_keys
+ tags:
+ - authorized_key
+
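Review bot: The first task runs the `yum` module, which needs Python on the target, before the two `raw` tasks whose stated purpose is to install `python2`/`python3` so that Ansible works at all, so on a host that really lacks Python the play dies at `System updates` and never reaches the bootstrap; move both `raw` tasks to the top of the file. On CentOS 7 the `yum` module also needs the python2 yum bindings, so which interpreter Ansible selects matters — worth pinning `ansible_python_interpreter` for this host group or documenting the assumption in a comment. Minor: `update_cache: yes` should be `update_cache: true`, and `name: '*'` with `state: latest` upgrades the whole system on every run of a role named "dependencies"; a comment saying that is intended, or a `when` guard, would help the next reader.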
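Review bot: The `user` module's `password` field expects an already-hashed value and writes it to `/etc/shadow` verbatim, so `password: "{{ item.password }}"` is only right if `ansible_remote_user[].password` holds a crypt hash; that variable is not in this diff, and if it is plaintext the accounts end up with an unusable password while the string itself sits readable in the vars file. If the source is plaintext, use `password: "{{ item.password | password_hash('sha512') }}"`; either way a comment on the task stating the expected format would spare the next person guessing. `append: yes` should be `append: true`, and the task name says "sudo group" while the code (correctly for CentOS) uses `wheel` — `Ensure ansible user is in the wheel group` reads truer.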
diff --git a/roles/ansible_user/tasks/main.yml b/roles/ansible_user_debian/tasks/main.yml similarity index 100% rename from roles/ansible_user/tasks/main.yml rename to roles/ansible_user_debian/tasks/main.yml diff --git a/roles/common/files/a.mx/root/bin/monitoring/conf/check_webservice_load.conf b/roles/common/files/a.mx/root/bin/monitoring/conf/check_webservice_load.conf index c215918..2d24a4a 100644 --- a/roles/common/files/a.mx/root/bin/monitoring/conf/check_webservice_load.conf +++ b/roles/common/files/a.mx/root/bin/monitoring/conf/check_webservice_load.conf @@ -62,7 +62,7 @@ curl_check_host=127.0.0.1 # - Example: # - php_versions="5.4 5.6 7.0 7.1" # - -php_versions="7.4" +php_versions="8.1" # - If PHP-FPM's ping.path setting does not match ping-$php_major_version, # - set the value given in your ping.path setting here. Give ping_path also diff --git a/roles/common/files/c.mx/root/bin/monitoring/conf/check_webservice_load.conf b/roles/common/files/c.mx/root/bin/monitoring/conf/check_webservice_load.conf index ae4314a..0cbc7e6 100644 --- a/roles/common/files/c.mx/root/bin/monitoring/conf/check_webservice_load.conf +++ b/roles/common/files/c.mx/root/bin/monitoring/conf/check_webservice_load.conf @@ -74,7 +74,7 @@ check_website=false # - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default) # - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf" # - -mysql_credential_args="--login-path=local" +mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" # - Additional Settings for check_php_fpm @@ -93,7 +93,7 @@ curl_check_host=127.0.0.1 # - Example: # - php_versions="5.4 5.6 7.0 7.1" # - -php_versions="7.4" +php_versions="8.1" # - If PHP-FPM's ping.path setting does not match ping-$php_major_version, # - set the value given in your ping.path setting here. Give ping_path also 
diff --git a/roles/common/files/e.mx/root/bin/monitoring/conf/check_webservice_load.conf b/roles/common/files/e.mx/root/bin/monitoring/conf/check_webservice_load.conf index d3520b1..88a86a4 100644 --- a/roles/common/files/e.mx/root/bin/monitoring/conf/check_webservice_load.conf +++ b/roles/common/files/e.mx/root/bin/monitoring/conf/check_webservice_load.conf @@ -62,7 +62,7 @@ curl_check_host=127.0.0.1 # - Example: # - php_versions="5.4 5.6 7.0 7.1" # - -php_versions="7.4" +php_versions="8.1" # - If PHP-FPM's ping.path setting does not match ping-$php_major_version, # - set the value given in your ping.path setting here. Give ping_path also diff --git a/roles/common/files/ga-st-mail/root/bin/monitoring/conf/check_webservice_load.conf b/roles/common/files/ga-st-mail/root/bin/monitoring/conf/check_webservice_load.conf index ceb5d81..c97f45e 100644 --- a/roles/common/files/ga-st-mail/root/bin/monitoring/conf/check_webservice_load.conf +++ b/roles/common/files/ga-st-mail/root/bin/monitoring/conf/check_webservice_load.conf @@ -93,7 +93,7 @@ curl_check_host=127.0.0.1 # - Example: # - php_versions="5.4 5.6 7.0 7.1" # - -php_versions="7.4" +php_versions="8.1" # - If PHP-FPM's ping.path setting does not match ping-$php_major_version, # - set the value given in your ping.path setting here. Give ping_path also diff --git a/roles/common/files/mail.cadus/root/bin/monitoring/conf/check_webservice_load.conf b/roles/common/files/mail.cadus/root/bin/monitoring/conf/check_webservice_load.conf index ae4314a..0cbc7e6 100644 --- a/roles/common/files/mail.cadus/root/bin/monitoring/conf/check_webservice_load.conf +++ b/roles/common/files/mail.cadus/root/bin/monitoring/conf/check_webservice_load.conf 
@@ -74,7 +74,7 @@ check_website=false
 # - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
 # - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
 # -
-mysql_credential_args="--login-path=local"
+mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf"
 # - Additional Settings for check_php_fpm
@@ -93,7 +93,7 @@ curl_check_host=127.0.0.1
 # - Example:
 # - php_versions="5.4 5.6 7.0 7.1"
 # -
-php_versions="7.4"
+php_versions="8.1"
 # - If PHP-FPM's ping.path setting does not match ping-$php_major_version,
 # - set the value given in your ping.path setting here. Give ping_path also
diff --git a/roles/common/files/mail.faire-mobilitaet/root/bin/monitoring/conf/check_webservice_load.conf b/roles/common/files/mail.faire-mobilitaet/root/bin/monitoring/conf/check_webservice_load.conf
index c152dce..5fc73c4 100644
--- a/roles/common/files/mail.faire-mobilitaet/root/bin/monitoring/conf/check_webservice_load.conf
+++ b/roles/common/files/mail.faire-mobilitaet/root/bin/monitoring/conf/check_webservice_load.conf
@@ -93,7 +93,7 @@ curl_check_host=127.0.0.1
 # - Example:
 # - php_versions="5.4 5.6 7.0 7.1"
 # -
-php_versions="7.4"
+php_versions="8.1"
 # - If PHP-FPM's ping.path setting does not match ping-$php_major_version,
 # - set the value given in your ping.path setting here. Give ping_path also
diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts b/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts
index f54a8b1..77bcedb 100644
--- a/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts
+++ b/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts
@@ -70,3 +70,9 @@ convinceandconvert\.com$
 thelargest\.homes$
 eamyobai\.cfd$
 countryfields\.ca$
+urgencypasture\.shop$
+detectivecomics\.net$
+bell\.net$
+beheshtfoundation\.com$
+tohochina\.com$
+mailer-service\.de$
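Review bot: `bell\.net$` in postfwd.bl-hosts rejects every sending host under bell.net, which the bl-nets comment `# CA (Canada) (u.a. bell.net)` describes as a Canadian provider rather than a single spam source, so legitimate mail from that provider's customers will be refused along with the abuse. The same breadth applies to `209.71.192.0/18` in the postfwd.bl-nets hunk (16,384 addresses, the only /18 in the hunk) and to `nb\.sympatico\.ca$` in the postfwd.bl-sender hunk, which also looks like a provider customer domain. If only a few hosts were observed, narrowing to those host names or a /24 keeps the false-positive surface small; if the wide block is deliberate, a comment with the incident and date next to each entry tells the next maintainer when it can be lifted. As with the existing entries these patterns are unanchored on the left, so `bell\.net$` also matches e.g. `mybell.net`; `(^|\.)bell\.net$` limits it to the domain and its subdomains.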
diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets b/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets
index ebd919b..1e7f476 100644
--- a/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets
+++ b/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets
@@ -133,3 +133,16 @@
 103.114.162.0/24
 # US (u.a.versender50.com)
 204.152.197.0/24
+# US (u.a.vs-dienst.com)
+45.134.11.0/24
+212.83.56.0/24
+# US ( u.a. urgencypasture.shop)
+194.87.84.0/24
+# US ( u.a. dkdirekt.com)
+64.188.1.176/28
+# CA (Canada) (u.a. bell.net)
+209.71.192.0/18
+# HU (u.a. beheshtfoundation.com)
+83.137.158.0/24
+# US (u.a. josephraffael.com / auftrag@v-markt-direkt.com)
+64.188.4.0/22
diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender b/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender
index 098bfae..0b32035 100644
--- a/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender
+++ b/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender
@@ -92,4 +92,13 @@ firmen-infos\.com$
 ^info@webmeinung\.de$
 ^info@handel-versand\.com$
 ^order@direktversender\.net$
-versender.*.com$
+versender.*\.com$
+vs-dienst\.com$
+urgencypasture\.shop$
+dkdirekt\.com$
+nb\.sympatico\.ca$
+beheshtfoundation\.com$
+josephraffael\.com$
+v-markt-direkt\.com$
+mailer-service\.de$
+swissad\.biz$
diff --git a/roles/common/files/mx.warenform/root/bin/monitoring/conf/check_webservice_load.conf b/roles/common/files/mx.warenform/root/bin/monitoring/conf/check_webservice_load.conf
index 8c95328..2b9827b 100644
--- a/roles/common/files/mx.warenform/root/bin/monitoring/conf/check_webservice_load.conf
+++ b/roles/common/files/mx.warenform/root/bin/monitoring/conf/check_webservice_load.conf
@@ -69,7 +69,7 @@ curl_check_host=127.0.0.1
 # - Example:
 # - php_versions="5.4 5.6 7.0 7.1"
 # -
-php_versions="7.4"
+php_versions="8.1"
 # - If PHP-FPM's ping.path setting does not match ping-$php_major_version,
 # - set the value given in your ping.path setting here. Give ping_path also
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index 9f5f9c4..60a2fd4 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -63,8 +63,10 @@
 state: restarted
 - name: Restart redis-server
+ vars:
+ _daemon: "{{ 'redis' if ansible_distribution == 'CentOS' else 'redis-server' }}"
 service:
- name: redis-server
+ name: "{{ _daemon }}"
 state: restarted
 - name: Restart tor service
diff --git a/roles/common/tasks/basic.yml b/roles/common/tasks/basic.yml
index 1154441..103fc9d 100644
--- a/roles/common/tasks/basic.yml
+++ b/roles/common/tasks/basic.yml
@@ -11,6 +11,8 @@
 name: "{{ item }}"
 state: present
 with_items: "{{ locales }}"
+ when:
+ - ansible_facts['distribution'] == "Debian"
 tags:
 - locales
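Review bot: The new `_daemon` expression in the redis-server handler reads `ansible_distribution`, while the tasks this commit gates in basic.yml and main.yml read `ansible_facts['distribution']`; the two resolve to the same value only while `inject_facts_as_vars` is enabled (its default), so a handler written the second way keeps working if that setting is ever turned off, e.g. `_daemon: "{{ 'redis' if ansible_facts['distribution'] == 'CentOS' else 'redis-server' }}"`. Whichever spelling is chosen, using it throughout the commit would help — the same mix appears in caching-nameserver.yml and in the redis-server.yml set_fact. A one-line comment above `vars:` saying why the unit name differs (the CentOS package ships the unit as `redis`) would save the next reader a lookup.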
@@ -150,28 +152,38 @@
 - name: (basic.yml) install unattended-upgrades
 apt: pkg=unattended-upgrades state=present
+ when:
+ - ansible_facts['distribution'] == "Debian"
 tags:
 - unattended-upgrades
 - name: (basic.yml) install apt-listchanges
 apt: pkg=apt-listchanges state=present
+ when:
+ - ansible_facts['distribution'] == "Debian"
 tags:
 - unattended-upgrades
 - name: (basic.yml) remove apticron
 apt: pkg=apticron state=absent
+ when:
+ - ansible_facts['distribution'] == "Debian"
 tags:
 - unattended-upgrades
 - name: (basic.yml) check if /etc/apt/apt.conf.d/20auto-upgrades exists
 stat: path=/etc/apt/apt.conf.d/20auto-upgrades
 register: ua_enabled
+ when:
+ - ansible_facts['distribution'] == "Debian"
 tags:
 - unattended-upgrades
 - name: (basic.yml) activate unattended upgrades
 shell: DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true dpkg-reconfigure -plow unattended-upgrades
- when: ua_enabled.stat.exists == False
+ when:
+ - ansible_facts['distribution'] == "Debian"
+ - ua_enabled.stat.exists == False
 tags:
 - unattended-upgrades
@@ -182,6 +194,8 @@
 owner: root
 group: root
 mode: 0644
+ when:
+ - ansible_facts['distribution'] == "Debian"
 tags:
 - unattended-upgrades
@@ -193,5 +207,7 @@
 owner: root
 group: root
 mode: 0644
+ when:
+ - ansible_facts['distribution'] == "Debian"
 tags:
 - unattended-upgrades
diff --git a/roles/common/tasks/caching-nameserver.yml b/roles/common/tasks/caching-nameserver.yml
index e4ffe7e..82da4ba 100644
--- a/roles/common/tasks/caching-nameserver.yml
+++ b/roles/common/tasks/caching-nameserver.yml
@@ -1,11 +1,17 @@
 ---
+# ---
+# Install 'bind' apt based OS
+# ---
+
 - name: (caching-nameserver.yml) update
 apt:
 update_cache: true
 cache_valid_time: "{{ 0 if apt_config_updated is defined and apt_config_updated.changed else apt_update_cache_valid_time }}"
- when: apt_update|bool
+ when:
+ - ansible_distribution == "Debian"
+ - apt_update|bool
 tags:
 - apt-caching-nameserver
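Review bot: The same two-line `when:` is pasted onto every unattended-upgrades task here and in the @@ -182 and @@ -193 hunks (and onto the locales task in @@ -11); wrapping these tasks in one `block:` carrying a single `when: ansible_facts['distribution'] == "Debian"` and the shared `tags:` states the intent once and cannot drift when the next task is added — the gated tasks in users-systemfiles.yml and redis-server.yml would benefit from the same treatment. Keep the distribution test first in the activate task, as it is now: when the stat task is skipped on a non-Debian host `ua_enabled` carries no `stat` key, and the list form stops at the first false condition. `- not ua_enabled.stat.exists` reads better than `== False` (ansible-lint literal-compare). `== "Debian"` also excludes Ubuntu and other apt-based derivatives; if that is intended a comment saying so would help, otherwise `ansible_os_family == "Debian"` — the test main.yml's new systemd-services import already uses — is the usual spelling.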
@@ -17,7 +23,9 @@
 warn: false
 changed_when: _dpkg_configure.stdout_lines | length
 register: _dpkg_configure
- when: apt_dpkg_configure|bool
+ when:
+ - ansible_distribution == "Debian"
+ - apt_update|bool
 tags:
 - apt-caching-nameserver
@@ -27,19 +35,52 @@
 upgrade: "{{ apt_upgrade_type }}"
 update_cache: true
 dpkg_options: "{{ apt_upgrade_dpkg_options | join(',') }}"
- when: apt_upgrade|bool
+ when:
+ - ansible_distribution == "Debian"
+ - apt_dpkg_configure|bool
 tags:
 - apt-caching-nameserver
-- name: (caching-nameserver.yml) Install bind9 packages
+- name: (caching-nameserver.yml) Install bind packages (using apt)
 apt:
- name: "{{ apt_bind9_pkgs }}"
+ name: "{{ apt_bind_pkgs }}"
 state: present
- when: apt_install_bind9_packages|bool == true
+ when:
+ - ansible_distribution == "Debian"
+ - install_bind_packages|bool == true
 tags:
 - apt-caching-nameserver
+# ---
+# Install 'bind' - yum based OS
+# ---
+
+- name: (yum.yml) Install system updates for centos systems
+ yum:
+ name: '*'
+ state: latest
+ update_cache: yes
+ #cache_valid_time: 3600
+ when:
+ - ansible_os_family == "RedHat"
+ - ansible_distribution == "CentOS"
+ tags:
+ - yum-update
+
+- name: (yum.yml) Install bind packages (using yum)
+ yum:
+ name: "{{ yum_bind_pks }}"
+ state: "{{ yum_install_state }}"
+ when:
+ - ansible_os_family == "RedHat"
+ - ansible_distribution == "CentOS"
+ tags:
+ - yum-caching-nameserver
+
+# ---
+# Configure bind on debian systems
+# --
 - name: (caching-nameserver.yml) Create directory /var/log/named if it does not exist
 file:
@@ -48,6 +89,8 @@
 owner: bind
 group: bind
 mode: '0755'
+ when:
+ - ansible_distribution == "Debian"
 - name: (caching-nameserver.yml) update named.conf.options configuration file (normal server)
@@ -64,6 +107,7 @@
 - apt-caching-nameserver
 - caching-nameserver
 when:
+ - ansible_distribution == "Debian"
 - inventory_hostname not in groups["gateway_server"]
 # --------------------
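Review bot: The rewritten conditions look shifted by one task: the dpkg-configure task in the @@ -17 hunk now tests `apt_update|bool` where it tested `apt_dpkg_configure|bool`, and the upgrade task in the @@ -27 hunk now tests `apt_dpkg_configure|bool` where it tested `apt_upgrade|bool`, so `apt_upgrade` no longer controls anything in this file and setting `apt_dpkg_configure` triggers a full upgrade. The intended lines are presumably `- apt_dpkg_configure|bool` on the first and `- apt_upgrade|bool` on the second; the old values are still visible on the removed lines. The new yum task upgrading `name: '*'` with `state: latest` is a full system upgrade on every run and duplicates the identical task in yum.yml, which main.yml already imports on CentOS, so two unattended upgrades would run per play; keeping only the bind install here (with `update_cache: true` rather than `yes`) avoids that. `yum_bind_pks` next to `apt_bind_pkgs` reads like a typo for `yum_bind_pkgs`, and `apt_bind9_pkgs`/`apt_install_bind9_packages` were renamed to `apt_bind_pkgs`/`install_bind_packages` — the defaults file is not in this diff, so please confirm all three names are defined there.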
@@ -89,6 +133,7 @@
 - apt-caching-nameserver
 - caching-nameserver
 when:
+ - ansible_distribution == "Debian"
 - inventory_hostname in groups["gateway_server"]
 # - not file_named_conf_options.stat.exists
@@ -107,4 +152,6 @@
 mode: '0644'
 tags:
 - apt-caching-nameserver
+ when:
+ - ansible_distribution == "Debian"
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 36d271d..7ba64fc 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -26,11 +26,26 @@
 # apt-autoremove
 # apt-clean
 - import_tasks: apt.yml
+ when:
+ - ansible_facts['distribution'] == "Debian"
 tags: apt
+#
+# yum-update
+# yum-base-install
+# yum-initial-install
+- import_tasks: yum.yml
+ when:
+ - ansible_os_family == "RedHat"
+ - ansible_distribution == "CentOS"
+ tags: yum
+
+
 - import_tasks: tor.yml
- when: inventory_hostname in groups['mail_server']
+ when:
+ - inventory_hostname in groups['mail_server']
+ - ansible_facts['distribution'] == "Debian"
 tags:
 - tor-service
@@ -44,6 +59,8 @@
 # zsh-config
 #
 - import_tasks: shell.yml
+ when:
+ - ansible_facts['distribution'] == "Debian"
 tags:
 - shell-config
 - vim-config
@@ -208,7 +225,23 @@
 # tags supportetd inside caching-nameserver.yml
 #
 # apt-caching-nameserver
+# yum-caching-nameserver
+#
 - import_tasks: caching-nameserver.yml
 when: groups['caching_nameserver']|string is search(inventory_hostname)
 tags: caching-nameserver
+
+- import_tasks: systemd-services_debian_based_OS.yml
+ when:
+ - ansible_os_family == "Debian"
+ tags:
+ - services
+
+
+- import_tasks: systemd-services_redhat_based_OS.yml
+ when:
+ - ansible_os_family == "RedHat"
+ tags:
+ - services
+
diff --git a/roles/common/tasks/redis-server.yml b/roles/common/tasks/redis-server.yml
index c50daf9..fb6fcda 100644
--- a/roles/common/tasks/redis-server.yml
+++ b/roles/common/tasks/redis-server.yml
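Review bot: The two new systemd-services imports in main.yml are gated on `ansible_os_family == "Debian"` / `"RedHat"` while the apt.yml, tor.yml and shell.yml imports in the same file are gated on `ansible_facts['distribution'] == "Debian"`; an Ubuntu or other Debian-derivative host would therefore run the Debian service list but skip the apt, shell and tor tasks, which is probably not intended. Either use the family test throughout (if derivatives are in scope) or the distribution test throughout, and state the supported distributions in the header comment. The yum.yml import already carries both `ansible_os_family == "RedHat"` and `ansible_distribution == "CentOS"`, and every task inside yum.yml repeats them; with `import_tasks` the conditions are applied to each imported task, so the per-task copies can go.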
@@ -1,11 +1,17 @@
 ---
+- name: (redis-server.yml) Set var '_redis_conf'
+ set_fact:
+ _redis_conf: "{{ '/etc/redis.conf' if ansible_distribution == 'CentOS' else '/etc/redis/redis.conf' }}"
+
 - name: (redis-server.yml) update
 apt:
 update_cache: true
 cache_valid_time: "{{ 0 if apt_config_updated is defined and apt_config_updated.changed else apt_update_cache_valid_time }}"
- when: apt_update|bool
+ when:
+ - ansible_facts['distribution'] == "Debian"
+ - apt_update|bool
 tags:
 - redis-server
@@ -17,7 +23,9 @@
 warn: false
 changed_when: _dpkg_configure.stdout_lines | length
 register: _dpkg_configure
- when: apt_dpkg_configure|bool
+ when:
+ - ansible_facts['distribution'] == "Debian"
+ - apt_update|bool
 tags:
 - redis-server
@@ -27,15 +35,30 @@
 upgrade: "{{ apt_upgrade_type }}"
 update_cache: true
 dpkg_options: "{{ apt_upgrade_dpkg_options | join(',') }}"
- when: apt_upgrade|bool
+ when:
+ - ansible_facts['distribution'] == "Debian"
+ - apt_upgrade|bool
 tags:
 - redis-server
-- name: (redis-server.yml) Install redis-server packages
+- name: (redis-server.yml) Install redis-server packages (debian system)
 apt:
 name: redis-server
 state: present
+ when:
+ - ansible_facts['distribution'] == "Debian"
+ tags:
+ - redis-server
+
+- name: (redis-server.yml) Install redis packages (centos system)
+ yum:
+ name: redis
+ state: latest
+ update_cache: yes
+ when:
+ - ansible_os_family == "RedHat"
+ - ansible_distribution == "CentOS"
 tags:
 - redis-server
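Review bot: In the @@ -17 hunk the dpkg-configure task's condition changed from `apt_dpkg_configure|bool` to `apt_update|bool`, so that task is now controlled by the wrong flag and `apt_dpkg_configure` no longer does anything in this file; the line should read `- apt_dpkg_configure|bool` (the same slip appears in caching-nameserver.yml). The new CentOS task installs redis with `state: latest` and `update_cache: yes`, which upgrades the package on every run rather than only installing it; `state: present` matches the Debian task next to it and keeps the play idempotent, and `true` is the canonical boolean. `_redis_conf` is set unconditionally before the OS-specific tasks, which is the right place for it, but it reads `ansible_distribution` while the `when:` lists below read `ansible_facts['distribution']` — one spelling would be easier to follow.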
@@ -79,23 +102,23 @@
 tags:
 - redis-server
-- name: (redis-server.yml) Check if file '/etc/redis/redis.conf.ORIG' exists
+- name: (redis-server.yml) Check if redis configuration file exists
 stat:
- path: /etc/redis/redis.conf.ORIG
+ path: "{{ _redis_conf }}.ORIG"
 register: redis_conf_exists
 tags:
 - redis-server
-- name: (redis-server.yml) Backup existing file /etc/redis/redis.conf.
- command: cp -a /etc/redis/redis.conf /etc/redis/redis.conf.ORIG
+- name: (redis-server.yml) Backup existing redis configuration file.
+ command: cp -a "{{ _redis_conf }}" "{{ _redis_conf }}".ORIG
 when:
 - redis_conf_exists.stat.exists == False
 tags:
 - redis-server
-- name: (redis-server.yml) adjust configuration '/etc/redis/redis.conf'
+- name: (redis-server.yml) adjust redis configuration
 lineinfile:
- dest: /etc/redis/redis.conf
+ dest: "{{ _redis_conf }}"
 regexp: "{{ item.regexp }}"
 insertafter: "{{ item.insertafter }}"
 line: "{{ item.key }} {{ item.val }}"
diff --git a/roles/common/tasks/samba-config-server.yml b/roles/common/tasks/samba-config-server.yml
index 6aabaa8..6a12792 100644
--- a/roles/common/tasks/samba-config-server.yml
+++ b/roles/common/tasks/samba-config-server.yml
@@ -19,7 +19,7 @@
 path: "{{ item.path }}"
 owner: "root"
 group: "{{ item.group_write_list | default('root', true) }}"
- mode: '2770'
+ mode: "{{ dir_create_mask | default('2770', true) }}"
 state: directory
 recurse: no
 with_items: "{{ samba_shares }}"
diff --git a/roles/common/tasks/systemd-services_debian_based_OS.yml b/roles/common/tasks/systemd-services_debian_based_OS.yml
new file mode 100644
index 0000000..dc0fa15
--- /dev/null
+++ b/roles/common/tasks/systemd-services_debian_based_OS.yml
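Review bot: The renamed task `Check if redis configuration file exists` actually stats `{{ _redis_conf }}.ORIG`, i.e. the backup, and the following task copies the config only when that backup is missing; the name should say so, e.g. `- name: (redis-server.yml) Check if backup '{{ _redis_conf }}.ORIG' of the redis configuration exists`, otherwise a reader assumes the live config is being probed. `redis_conf_exists.stat.exists == False` could become `not redis_conf_exists.stat.exists`. The lineinfile task is cut off at the bottom of the hunk, so its loop and handler notification could not be reviewed here.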
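Review bot: `mode: "{{ dir_create_mask | default('2770', true) }}"` makes the result depend on how `dir_create_mask` is written in the inventory: the file module interprets a string mode as octal but an integer as-is, so a bare `dir_create_mask: 2770` would — when Jinja native types are enabled — arrive as decimal 2770 and set the wrong permissions on the share directory. A comment above the task stating that the variable must be a quoted octal string (`dir_create_mask: "2770"`), mirrored in the defaults file that declares it, prevents that; `recurse: no` on the next line could become `false` while editing here.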
@@ -0,0 +1,61 @@
+---
+
+- name: (systemd-services.yml) Check if Service Exists (Debian based OS)
+ shell: 'systemctl list-unit-files | grep -q -e "^{{ item }}.service";'
+ changed_when: "service_exists.rc > 1"
+ failed_when: "service_exists.rc > 1"
+ register: service_exists
+ with_items:
+ - "{{ debian_services_active_and_started }}"
+
+#- debug: msg="{{ service_exists.results }}"
+
+- name: (systemd-services.yml) Check if Service is disabled (Debian based OS)
+ shell: 'systemctl list-unit-files | grep -e "^{{ item.item }}.service" | grep -q "disabled";'
+ register: service_is_enabled
+ changed_when: "service_is_enabled.rc == 0"
+ failed_when: "service_is_enabled.rc > 1"
+ with_items:
+ - "{{ service_exists.results }}"
+ loop_control:
+ label: '{{ item.item }}'
+ when:
+ - item.rc == 0
+
+#- debug: msg="{{ service_is_enabled.results }}"
+
+- name: (systemd-services.yml) Enable service
+ systemd:
+ name: "{{ item.item.item }}.service"
+ enabled: true
+ with_items:
+ - "{{ service_is_enabled.results }}"
+ loop_control:
+ label: '{{ item.item.item }}'
+ when:
+ - item.changed
+
+- name: (systemd-services.yml) Check if Service is active
+ shell: 'systemctl is-active {{ item.item }}.service'
+ register: service_is_active
+ changed_when: 'service_is_active.stdout == "inactive"'
+ failed_when: 'service_is_active.rc > 3'
+ with_items:
+ - "{{ service_exists.results }}"
+ loop_control:
+ label: '{{ item.item }}'
+ when:
+ - item.rc == 0
+
+
+
+- name: (systemd-services.yml) Start service
+ systemd:
+ name: "{{ item.item.item }}.service"
+ state: started
+ with_items:
+ - "{{ service_is_active.results }}"
+ loop_control:
+ label: '{{ item.item.item }}'
+ when:
+ - item.changed
diff --git a/roles/common/tasks/systemd-services_redhat_based_OS.yml b/roles/common/tasks/systemd-services_redhat_based_OS.yml
new file mode 100644
index 0000000..e205f95
--- /dev/null
+++ b/roles/common/tasks/systemd-services_redhat_based_OS.yml
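Review bot: The five check-then-act tasks replicate what the systemd module already guarantees — `enabled: true` and `state: started` are idempotent and report changed only when they act — so the shell/grep probes add nothing beyond "does the unit exist", and their result handling is off: `changed_when: "service_exists.rc > 1"` is identical to the `failed_when` on the next line, so the probe reports changed only when it fails (a read-only check wants `changed_when: false`), and `{{ item }}` inside `grep -e "^{{ item }}.service"` is interpolated into a regex where `.` matches any character. `service_facts` gives the existence test without shell parsing, which collapses the file to a fact gather plus one loop (sketched below; `(item ~ '.service') in ansible_facts.services` should match what the `list-unit-files` grep matched, worth confirming on a host). The register name `service_is_enabled` is inverted — the grep succeeds when the unit is *disabled*. systemd-services_redhat_based_OS.yml is this file with a different list variable and two extra `when` lines; one file reading the list from a variable would avoid maintaining two copies.
```yaml
- name: (systemd-services.yml) Gather service facts (Debian based OS)
  service_facts:

- name: (systemd-services.yml) Enable and start services that exist on the host
  systemd:
    name: "{{ item }}.service"
    enabled: true
    state: started
  loop: "{{ debian_services_active_and_started }}"
  loop_control:
    label: "{{ item }}"
  when: (item ~ '.service') in ansible_facts.services
```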
@@ -0,0 +1,64 @@
+---
+
+- name: (systemd-services.yml) Check if Service Exists (RedHat based OS)
+ shell: 'systemctl list-unit-files | grep -q -e "^{{ item }}.service";'
+ changed_when: "service_exists.rc > 1"
+ failed_when: "service_exists.rc > 1"
+ register: service_exists
+ with_items:
+ - "{{ redhat_services_active_and_started }}"
+ when:
+ - ansible_os_family == "RedHat"
+
+#- debug: msg="{{ service_exists.results }}"
+
+- name: (systemd-services.yml) Check if Service is disabled (RedHat based OS)
+ shell: 'systemctl list-unit-files | grep -e "^{{ item.item }}.service" | grep -q "disabled";'
+ register: service_is_enabled
+ changed_when: "service_is_enabled.rc == 0"
+ failed_when: "service_is_enabled.rc > 1"
+ with_items:
+ - "{{ service_exists.results }}"
+ loop_control:
+ label: '{{ item.item }}'
+ when:
+ - item.rc == 0
+ - ansible_os_family == "RedHat"
+
+#- debug: msg="{{ service_is_enabled.results }}"
+
+- name: (systemd-services.yml) Enable service
+ systemd:
+ name: "{{ item.item.item }}.service"
+ enabled: true
+ with_items:
+ - "{{ service_is_enabled.results }}"
+ loop_control:
+ label: '{{ item.item.item }}'
+ when:
+ - item.changed
+
+- name: (systemd-services.yml) Check if Service is active
+ shell: 'systemctl is-active {{ item.item }}.service'
+ register: service_is_active
+ changed_when: 'service_is_active.stdout == "inactive"'
+ failed_when: 'service_is_active.rc > 3'
+ with_items:
+ - "{{ service_exists.results }}"
+ loop_control:
+ label: '{{ item.item }}'
+ when:
+ - item.rc == 0
+
+
+
+- name: (systemd-services.yml) Start service
+ systemd:
+ name: "{{ item.item.item }}.service"
+ state: started
+ with_items:
+ - "{{ service_is_active.results }}"
+ loop_control:
+ label: '{{ item.item.item }}'
+ when:
+ - item.changed
diff --git a/roles/common/tasks/users-systemfiles.yml b/roles/common/tasks/users-systemfiles.yml
index e30de12..85ef8f9 100644
--- a/roles/common/tasks/users-systemfiles.yml
+++ b/roles/common/tasks/users-systemfiles.yml
@@ -83,7 +83,7 @@
 - bash
 # --
-# Copy .profile
+# Copy .profile (Debian System)
 # ---
 - name: (users-systemfiles.yml) Check if users file '.profile.ORIG' exists
@@ -93,6 +93,8 @@
 loop: "{{ default_user }}"
 loop_control:
 label: '{{ item.name }}'
+ when:
+ - ansible_facts['distribution'] == "Debian"
 tags:
 - profile
@@ -101,7 +103,9 @@
 loop: "{{ profile_user_orig_exists.results }}"
 loop_control:
 label: '{{ item.item.name }}'
- when: item.stat.exists == False
+ when:
+ - ansible_facts['distribution'] == "Debian"
+ - item.stat.exists == False
 tags:
 - profile
@@ -116,6 +120,7 @@
 loop_control:
 label: '{{ item.item.name }}'
 when:
+ - ansible_facts['distribution'] == "Debian"
 - item.stat.exists
 - lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_profile')
 tags:
@@ -125,12 +130,16 @@
 stat:
 path: /root/.profile.ORIG
 register: profile_root_orig_exists
+ when:
+ - ansible_facts['distribution'] == "Debian"
 tags:
 - profile
 - name: (users-systemfiles.yml) Backup existing users .profile file
 command: cp -a /root/.profile /root/.profile.ORIG
- when: profile_root_orig_exists.stat.exists == False
+ when:
+ - ansible_facts['distribution'] == "Debian"
+ - profile_root_orig_exists.stat.exists == False
 tags:
 - profile
@@ -142,10 +151,87 @@
 group: root
 mode: 0644
 when:
+ - ansible_facts['distribution'] == "Debian"
 - local_template_dir_root.stat.exists
 - lookup('fileglob', inventory_dir + '/files/homedirs/root/_profile')
 tags:
 - profile
+
+# --
+# Copy .bash_profile (CentOS/Fedora?/RedHat? System)
+# ---
+
+- name: (users-systemfiles.yml) Check if users file '.bash_profile.ORIG' exists
+ stat:
+ path: "~{{ item.name }}/.bash_profile.ORIG"
+ register: bash_profile_user_orig_exists
+ loop: "{{ default_user }}"
+ loop_control:
+ label: '{{ item.name }}'
+ when:
+ - ansible_facts['distribution'] == "CentOS"
+ tags:
+ - profile
+
+- name: (users-systemfiles.yml) Backup existing users .bash_profile file
+ command: cp -a ~{{ item.item.name }}/.bash_profile ~{{ item.item.name }}/.bash_profile.ORIG
+ loop: "{{ bash_profile_user_orig_exists.results }}"
+ loop_control:
+ label: '{{ item.item.name }}'
+ when:
+ - ansible_facts['distribution'] == "CentOS"
+ - item.stat.exists == False
+ tags:
+ - profile
+
+- name: (users-systemfiles.yml) copy .bash_profile if it exists
+ copy:
+ src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_bash_profile') }}"
+ dest: "~{{ item.item.name }}/.bash_profile"
+ owner: "{{ item.item.name }}"
+ group: "{{ item.item.name }}"
+ mode: 0644
+ loop: "{{ local_template_dir_default_user.results }}"
+ loop_control:
+ label: '{{ item.item.name }}'
+ when:
+ - ansible_facts['distribution'] == "CentOS"
+ - item.stat.exists
+ - lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_bash_profile')
+ tags:
+ - profile
+
+
+- name: (users-systemfiles.yml) Check if file '/root/.bash_profile.ORIG' exists
+ stat:
+ path: /root/.bash_profile.ORIG
+ register: profile_root_orig_exists
+ when:
+ - ansible_facts['distribution'] == "CentOS"
+ tags:
+ - profile
+
+- name: (users-systemfiles.yml) Backup existing users .bash_profile file
+ command: cp -a /root/.bash_profile /root/.bash_profile.ORIG
+ when:
+ - ansible_facts['distribution'] == "CentOS"
+ - profile_root_orig_exists.stat.exists == False
+ tags:
+ - profile
+
+- name: (users-systemfiles.yml) copy .bash_profile for user root
+ copy:
+ src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/root/_bash_profile') }}"
+ dest: "/root/.bash_profile"
+ owner: root
+ group: root
+ mode: 0644
+ when:
+ - ansible_facts['distribution'] == "CentOS"
+ - local_template_dir_root.stat.exists
+ - lookup('fileglob', inventory_dir + '/files/homedirs/root/_bash_profile')
+ tags:
+ - profile
 # --
 # Copy .vimrc
diff --git a/roles/common/tasks/yum.yml b/roles/common/tasks/yum.yml
new file mode 100644
index 0000000..972789e
--- /dev/null
+++ b/roles/common/tasks/yum.yml
@@ -0,0 +1,53 @@
+---
+
+- name: (yum.yml) Install system updates for centos systems
+ yum:
+ name: '*'
+ state: latest
+ update_cache: yes
+ #cache_valid_time: 3600
+ when:
+ - ansible_os_family == "RedHat"
+ - ansible_distribution == "CentOS"
+ tags:
+ - yum-update
+
+
+- name: Install the EPEL Repository in CentOS 7
+ yum:
+ name: epel-release
+ state: latest
+
+
+# Its more eficient to in
+- name: (yum.yml) Base install CentOS packages (CentOS 7)
+ yum:
+ name: "{{ yum_base_install_centos_7 }}"
+ state: "{{ yum_install_state }}"
+ when:
+ - ansible_os_family == "RedHat"
+ - ansible_distribution == "CentOS"
+ - ansible_distribution_major_version == "7"
+ tags:
+ - yum-base-install
+
+- name: (yum.yml) Initial install CentOS packages (CentOS 7)
+ yum:
+ name: "{{ yum_initial_install_centos_7 }}"
+ state: "{{ yum_install_state }}"
+ when:
+ - ansible_os_family == "RedHat"
+ - ansible_distribution == "CentOS"
+ - ansible_distribution_major_version == "7"
+ tags:
+ - yum-initial-install
+
+
+- name: (yum.yml) Install lxc_host related packages
+ yum:
+ name: "{{ yum_lxc_host_pkgs }}"
+ state: "{{ yum_install_state }}"
+ when:
+ - groups['lxc_host']|string is search(inventory_hostname)
+ tags:
+ - yum-lxc-hosts-pkgs
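Review bot: The CentOS root stat task registers `profile_root_orig_exists`, the same name the Debian `.profile.ORIG` stat earlier in this file uses; it works today only because the Debian backup task runs before this task overwrites the variable, and a future reorder would silently make the Debian backup read the CentOS result (or a skipped result with no `stat` key) — a distinct name such as `bash_profile_root_orig_exists` removes the coupling. The user-level copy task loops over `local_template_dir_default_user.results`, registered by a task outside this hunk; if that task is among those now gated on `== "Debian"`, its `.results` is undefined on CentOS and this task fails, so please check where it is set. Two names are copy-pasted: the root backup is titled `Backup existing users .bash_profile file`, and the header `Copy .bash_profile (CentOS/Fedora?/RedHat? System)` should name what the `when:` lines actually cover, which is CentOS only. The task at the top of the hunk (root .profile copy) begins outside it.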
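Review bot: `Install the EPEL Repository in CentOS 7` has no `when:` and no `tags:`, unlike every other task in yum.yml, so run outside main.yml's guarded import it executes on any host and cannot be selected by tag; give it the same `ansible_os_family`/`ansible_distribution`/major-version guard, a `yum-base-install` tag and the `(yum.yml)` name prefix its siblings use. The first task upgrades `name: '*'` with `state: latest`, which is an unattended full system upgrade every time the role is applied (and it also appears verbatim in caching-nameserver.yml); if that is wanted, the comment should say so, and the commented-out `cache_valid_time` is an apt option that yum does not have, while `update_cache: yes` should be `true`. The comment `# Its more eficient to in` is cut off mid-sentence. The lxc_host task relies on the caller's import `when:` for the RedHat guard while the other tasks carry it explicitly; for consistency it should too.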
diff --git a/roles/common/templates/usr/local/src/mailsystem/conf/install_postfixadmin.conf.j2 b/roles/common/templates/usr/local/src/mailsystem/conf/install_postfixadmin.conf.j2
index ef8b37d..766a3ff 100644
--- a/roles/common/templates/usr/local/src/mailsystem/conf/install_postfixadmin.conf.j2
+++ b/roles/common/templates/usr/local/src/mailsystem/conf/install_postfixadmin.conf.j2
@@ -147,7 +147,7 @@ APACHE_SERVER_KEY="privkey.pem"
 # - '/etc/mysql/debian.cnf' if MySQL is installed from debian package system
 # - '/usr/local/mysql/sys-maint.cnf' otherwise
 # -
-#MYSQL_CREDENTIALS=""
+MYSQL_CREDENTIALS='{{ mysql_credentials | default(omit) }}'
 # - The wa passwords will be encrypted.